diff options
| -rw-r--r-- | debian/changelog | 8 | ||||
| -rw-r--r-- | debian/patches/CVE-2016-1283.patch | 47 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rw-r--r-- | pcre_compile.c | 7 | ||||
| -rw-r--r-- | testdata/testinput2 | 2 | ||||
| -rw-r--r-- | testdata/testoutput2 | 2 |
6 files changed, 66 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 7d516a9..0621273 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +pcre3 (2:8.38-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-1283: heap buffer overflow in handling of duplicate named + groups (Closes: #809706) + + -- Salvatore Bonaccorso <carnil@debian.org> Tue, 22 Mar 2016 21:05:13 +0100 + pcre3 (2:8.38-3) unstable; urgency=low * Apply Ubuntu patch from Iain Lane (modified by Graham Inggs) to add diff --git a/debian/patches/CVE-2016-1283.patch b/debian/patches/CVE-2016-1283.patch new file mode 100644 index 0000000..f05535b --- /dev/null +++ b/debian/patches/CVE-2016-1283.patch @@ -0,0 +1,47 @@ +From b7537308b7c758f33c347cb0bec62754c43c271f Mon Sep 17 00:00:00 2001 +From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> +Date: Sat, 27 Feb 2016 17:38:11 +0000 +Subject: [PATCH] Yet another duplicate name bugfix by overestimating the + memory needed (i.e. another hack - PCRE2 has this "properly" fixed). + +git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15 +--- + pcre_compile.c | 7 ++++++- + testdata/testinput2 | 2 ++ + testdata/testoutput2 | 2 ++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +--- a/pcre_compile.c ++++ b/pcre_compile.c +@@ -7289,7 +7289,12 @@ for (;; ptr++) + so far in order to get the number. If the name is not found, leave + the value of recno as 0 for a forward reference. */ + +- else ++ /* This patch (removing "else") fixes a problem when a reference is ++ to multiple identically named nested groups from within the nest. ++ Once again, it is not the "proper" fix, and it results in an ++ over-allocation of memory. */ ++ ++ /* else */ + { + ng = cd->named_groups; + for (i = 0; i < cd->names_found; i++, ng++) +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -4217,4 +4217,6 @@ backtracking verbs. --/ + + /a[[:punct:]b]/BZ + ++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ ++ + /-- End of testinput2 --/ +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -14574,4 +14574,6 @@ No match + End + ------------------------------------------------------------------ + ++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ ++ + /-- End of testinput2 --/ diff --git a/debian/patches/series b/debian/patches/series index 0d18b90..b766780 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ soname.patch no_jit_x32_powerpcspe.patch Disable_JIT_on_sparc64.patch apply-upstream-revision-1631-closes-8159 +CVE-2016-1283.patch diff --git a/pcre_compile.c b/pcre_compile.c index 1bc2b7f..29300d0 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -7289,7 +7289,12 @@ for (;; ptr++) so far in order to get the number. If the name is not found, leave the value of recno as 0 for a forward reference. */ - else + /* This patch (removing "else") fixes a problem when a reference is + to multiple identically named nested groups from within the nest. + Once again, it is not the "proper" fix, and it results in an + over-allocation of memory. */ + + /* else */ { ng = cd->named_groups; for (i = 0; i < cd->names_found; i++, ng++) diff --git a/testdata/testinput2 b/testdata/testinput2 index e2e520f..36bae1e 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4217,4 +4217,6 @@ backtracking verbs. --/ /a[[:punct:]b]/BZ +/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ + /-- End of testinput2 --/ diff --git a/testdata/testoutput2 b/testdata/testoutput2 index 85c565d..b5ff70d 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -14574,4 +14574,6 @@ No match End ------------------------------------------------------------------ +/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ + /-- End of testinput2 --/ |